The Meaning Of TJXs $168 Million Data Breach Cost

Updated: News Analysis: Is TJX's possible $168 million hit for its data breach anything more than a cost of doing business?

With all the numbers that TJX Companies issued in its Aug. 14 earnings statement, the one that has generated the most attention was an estimated $168 million hit associated with the data breach announced in January, which saw consumer information from an estimated 46 million debit and credit cards walk out the door.
The numbers were sliced and diced many ways. About $118 million in after-tax costs taken in the most recent quarter alone, plus $21 million projected as a possible hit for next year on top of $29 million already reported in prior quarters. The Boston Globe quoted a TJX official saying that the $118 million quarterly after-tax figure was about $196 million pretax and that the $21 million for next year was about $35 million pretax. A chart issued by TJX gives a six-month data breach cost of $215.9 million, without explanation.

But a closer look at those numbers suggests both a more dire and a more optimistic perspective.

First, the optimistic side. TJX officials did not, in fact, say that they actually have spent—or necessarily will spend—anything more than a tiny fraction of those dollars. The overwhelmingly largest charge—a $107 million after-tax figure for the chains second 2008 fiscal quarter—was merely a "reserve," a nest egg for what TJX fears its costs may be. Theoretically, its costs might be much lower.
Read more here about the lawsuit filed against TJX in response to the data breach.
Continuing on the optimistic side, those costs are not causing severe financial strain on the $17 billion retail giant, especially given that its revenue is still soaring, meaning that consumers have strongly embraced TJX and are presumably not being impacted by the breach. For the six months ending July 28, the Framingham, Mass., chain reported $8.4 billion in revenue, an almost 8 percent increase from the $7.8 billion it reported for the prior years identical quarter.

Are these figures merely the cost of doing business and an acceptable cost at that? To get a sense of that, its important to drill down into what these numbers truly represent.
TJXs official word on its cash reserve need is that it represents TJXs "estimation of probable losses, in accordance with generally accepted accounting principles, based on the information available to the Company as of August 14, 2007, and includes an estimation of total, potential cash liabilities from pending litigation, proceedings, investigations and other claims as well as legal and other costs and expenses, arising from the intrusion."
Given the cost of updating security systems for a chain this large as well as legal fees for merely dealing with the many civil lawsuits that arose from the breachs disclosure, those are not particularly large figures. Indeed, its hard to argue that the estimates assume TJX will face relatively small jury awards, assuming any of this litigation ever gets to a jury.
What does all this mean for retailers trying to decide the cost of being breached? On the plus side, TJX officials think they will do well in most—if not all—of their litigation defenses, including costs to be associated with an expected settlement with dozens of state attorney generals.
On the negative side, thats quite a high price tag for a company that may ultimately be proven to have done no wrong. Please note the emphasis on "proven," to avoid angry e-mails from readers who confuse whats provably wrong with what is actually wrong. Provably wrong involves what damages can be proven at trial and can be reasonably blamed on TJX. Will juries and judges view TJX as a victim of brilliant cyber thieves or as a massive company that cut corners and was reckless with consumer private information? TJX seems to be betting on the former.
Page 2: The Meaning Of TJXs $168 Million Data Breach Cost

Evan Schuman is the editor of CIOInsight.com's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others. He can be reached by e-mail at Evan.Schuman@ziffdavisenterprise.com.